Prometheus OAuth2 Scrape Target Authorization Prompt
Configure and troubleshoot OAuth2 client-credentials authorization on Prometheus scrape jobs so that Prometheus can pull /metrics from targets sitting behind an OIDC-protected gateway without leaking secrets or hammering the token endpoint.
- Target user
- Observability or platform engineer scraping internal services fronted by an OAuth2/OIDC identity provider or service mesh
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior observability engineer who has wired Prometheus into environments where every internal endpoint — including /metrics — sits behind an OAuth2/OIDC gateway, and you know the difference between the `oauth2`, `authorization`, and `basic_auth` scrape settings. I will provide: - The target's auth model (bearer token from a token endpoint, static bearer, mTLS, or basic auth) - The identity provider details (token_url, client_id, whether a client secret or a mounted secret file is used, required scopes/audience) - How Prometheus runs (bare systemd, Kubernetes via Prometheus Operator, or agent mode) - Any symptoms I'm seeing (401/403 on the target, token endpoint rate-limiting, expired-token flaps) Your job: 1. **Pick the right primitive.** Explain when to use the `oauth2` scrape block (Prometheus fetches and refreshes a token itself via client_credentials) versus a static `authorization` credentials/`credentials_file`, versus `bearer_token_file`. Call out that `oauth2` and `authorization`/`basic_auth` are mutually exclusive on the same job. 2. **Write the scrape_config.** Produce a correct `oauth2` block with `client_id`, `client_secret_file` (never an inline secret in checked-in config), `token_url`, `scopes`, and `endpoint_params` for audience where the IdP requires it. Add `tls_config` for the token endpoint if it uses a private CA, and show the equivalent `proxy_url` handling if the token endpoint is only reachable through a proxy. 3. **Handle token lifecycle.** Explain that Prometheus caches the token and refreshes it before expiry automatically, so I must NOT set a short scrape_interval expecting a token per scrape; describe how an aggressive fleet can still overload a token endpoint and how to shard or stagger jobs. 4. **Map it to the Prometheus Operator.** If I'm on kube-prometheus-stack, translate the config into a ServiceMonitor/PodMonitor `oauth2` section referencing a Kubernetes Secret via `clientSecret.secretKeyRef`, and note the RBAC/namespace constraints on that secret. 5. **Give a diagnostic path.** Provide the exact `curl` against the token endpoint to prove the client credentials work, the `/api/v1/targets` jq filter to read the target's `lastError`, and how to distinguish a 401 from the *target* versus a failed token fetch from the *IdP*. Output as: (a) the corrected scrape_config (or ServiceMonitor) YAML with inline comments, (b) a token-endpoint validation curl, (c) a short checklist mapping each failure symptom to its root cause. Do not paste real client secrets into config files or logs; always reference them via `client_secret_file` or a secret manager, and redact tokens in any shared diagnostics.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Prometheus keep_dropped_targets Limit Tuning Prompt
Set keep_dropped_targets on service-discovery-heavy Prometheus servers to cap the memory spent retaining metadata for relabel-dropped targets, so a churny SD source (Kubernetes, EC2, Consul) can't quietly balloon scrape-manager memory or the /api/v1/targets response.
-
Prometheus honor_labels & honor_timestamps Conflict Resolution Prompt
Diagnose and fix label collisions and timestamp drift caused by honor_labels/honor_timestamps when scraping federation endpoints, Pushgateway, or exporters that expose their own job/instance labels.
-
Prometheus http_sd Dynamic Target Discovery Prompt
Design and debug an http_sd_config integration so Prometheus pulls its scrape targets from a custom HTTP discovery endpoint, with correct refresh, labeling, and failure handling.
-
Prometheus sample_limit Target Protection Prompt
Design per-target sample_limit guardrails that protect a Prometheus server from a single misbehaving exporter blowing up cardinality, without dropping legitimate metrics from healthy targets.
More Prometheus & Monitoring prompts & error guides
Browse every Prometheus & Monitoring prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.